Category Archives: Security

The Schwartz is with RSA

Eddie Schwartz, CSO at a part of RSA (NetWitness), will take on the title of CSO at RSA. This confirms both that NetWitness was involved in the response to the recent RSA breach and that Mel Brooks is a comic genius.

The large and looming issues ahead for Schwartz do not appear to be related to an advanced or a persistent threat (APT), although that is obviously a good topic to drum up sales of security products.

Instead he will have to address the usual, routine and mundane security problems revealed by RSA’s breach blog entry:

  • Role Based Access Controls (RBAC): whether and where low-authority and therefore less-secure systems and users have access to high-value assets
  • Egress Filtering: why outbound file transfers are allowed to unknown or known hostile addresses (e.g. application-level inspection of traffic for RAT in reverse-connect mode)
  • Application sandboxing: why binaries (i.e. Flash) are not stripped from Excel using Microsoft Office Isolated Conversion Environment (MOICE) or similar
  • Awareness: if “certain groups” are targeted from the outside, then surely they can be even more easily targeted on the inside for training…like why they shouldn’t execute large email attachments in their spam folder
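As an added example (not code from the original post), here is a defender-side audit of the egress-filtering point above: it runs constructed outbound-flow records against a hypothetical allow list and threat list and flags large or long-lived transfers to unlisted addresses, the pattern a reverse-connect RAT leaves behind. The internal ranges, allow list, hostile list, thresholds and flow records are all assumptions for the illustration.

```python
import ipaddress
from typing import List, Tuple

# Constructed outbound-flow records for this example: (src, dst, dst_port, bytes_out, duration_s).
# Values are made up for illustration; they are not data from the RSA incident.
SAMPLE_FLOWS = [
    ("10.1.4.22", "10.1.9.5", 445, 12_000, 3),             # internal file share, ignored
    ("10.1.4.22", "203.0.113.7", 443, 48_000_000, 5400),   # large, long-lived upload to unknown host
    ("10.1.4.23", "198.51.100.9", 80, 9_000, 2),           # small fetch from an allow-listed partner
    ("10.1.4.24", "203.0.113.8", 443, 30_000, 4),          # small transfer to a known-hostile address
]

# Assumed internal address space (RFC 1918), checked explicitly rather than via is_private,
# which would also treat the documentation ranges used in the sample as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical allow list and hypothetical threat-intel list (assumptions for this example).
ALLOWED_EXTERNAL = {"198.51.100.9"}
KNOWN_HOSTILE = {"203.0.113.8"}

# Thresholds an operator would tune per environment (assumed values).
BYTES_OUT_THRESHOLD = 10_000_000   # 10 MB leaving the network in a single flow
DURATION_THRESHOLD = 3600          # one hour: typical of a reverse-connect session held open


def is_internal(ip: str) -> bool:
    """Only the RFC 1918 ranges count as internal; everything else is egress traffic."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flow_reasons(src: str, dst: str, port: int, bytes_out: int, duration: int) -> List[str]:
    """Return the egress-policy violations for one flow (an empty list means it is allowed)."""
    if is_internal(dst):
        return []                      # east-west traffic is out of scope for egress filtering
    reasons = []
    if dst in KNOWN_HOSTILE:
        reasons.append("destination on known-hostile list")
    elif dst not in ALLOWED_EXTERNAL:
        reasons.append("destination not on egress allow list")
    if bytes_out >= BYTES_OUT_THRESHOLD:
        reasons.append(f"bytes_out {bytes_out} exceeds threshold")
    if duration >= DURATION_THRESHOLD:
        reasons.append(f"session held {duration}s (possible reverse-connect channel)")
    return reasons


def audit(flows=SAMPLE_FLOWS) -> List[Tuple[str, str, List[str]]]:
    """Run every flow through the policy and keep only those with at least one reason."""
    return [(src, dst, r) for src, dst, port, b, d in flows if (r := flow_reasons(src, dst, port, b, d))]


if __name__ == "__main__":
    for src, dst, reasons in audit():
        print(f"{src} -> {dst}: " + "; ".join(reasons))
```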

Zero-day exploits alone do not constitute advanced attacks, not least because the definition of what constitutes a zero-day is up for debate. A targeted email list alone does not constitute persistence. But whether or not the breach should get a popular label, congratulations go to RSA for giving me this opportunity to include a Spaceballs reference in my blog.

Surveillance of Drunks

The Sun suggests a good use for surveillance video in London — making fun of people who are impaired:

Our video of the rolling-drunk reveller tumbling acrobatically down stairs after a do at London’s posh Savoy Hotel has been a huge global hit after being posted here yesterday

Note the cameras monitor the subject’s movements across several different views without anyone entering to offer assistance. Should someone have responded? Was it real or just choreographed?

Facial Recognition on Facebook

I agree with this general assessment of Facebook:

Brad Shimmin, an analyst with Current Analysis, said it’s clear that Facebook hasn’t learned any big lessons from its previous privacy brouhahas.

“Facebook’s repeated methodology of opting all users into new services, particularly services with potentially damaging ramifications, demonstrates a certain disregard for the security and privacy of its users,” Shimmin said.

There is no excuse for Facebook. They just fail and fail again. An opt-in system could be very easily advertised by them. What possible reason could they have to make it an opt-out?

The Facebook blog post does not hide the fact that they want their users to have to dig their way out of facial recognition software.

When you or a friend upload new photos, we use face recognition software (similar to that found in many photo editing tools) to match your new photos to other photos you’re tagged in. We group similar photos together and, whenever possible, suggest the name of the friend in the photos.

If for any reason you don’t want your name to be suggested, you will be able to disable suggested tags in your Privacy Settings. Just click “Customize Settings” and “Suggest photos of me to friends.” Your name will no longer be suggested in photo tags, though friends can still tag you manually.

What’s the supposed benefit of facial recognition technology on a social network platform? Let’s say you are the type of person who uploads a lot of photos of the same person…

Instead of typing her name 64 times, all you’ll need to do is click “Save”…

They are offering to save time for a certain type of user. It does not by any means justify an opt-out philosophy for automatically tagging everyone else, given the risk and privacy issues.

Google built but never launched a facial recognition service. The company was worried about its potential for abuse, says Google chairman Eric Schmidt.

Facebook’s system also brings to mind the problem of what happens if every face in every picture is the same. In other words, how long before a clever artist builds a flashmob holding up masks with a picture of someone else to get it automatically tagged hundreds or even thousands of times?

This seems like the obvious answer and a great way to protest the opt-out:

Introducing the Mark Zuckerberg Halloween Mask

Now you too can look like the man who says his plan to “become a vegetarian” is killing and eating animals.

ATM + Pipe Organ = Art?

A Diebold Opteva 562 cash dispenser has been set into the centre of a pipe organ for an art exhibit titled “Algorithm” at the U.S. Pavilion for the 54th International Art Exhibition.

Each financial transaction that visitors conduct generates a unique musical score that produces randomized notes and chords at varying degrees of volume by driving pressurized air through pipes selected via the ATM keyboard.

I bet the notes are not truly random.

And the second thing that comes to mind is the televangelist priests begging for money and keeping two sets of accounting books. Not sure if that was the idea.

ATMorgan